CISO Brief

All news with #secrets management tag

42 articles

AWS Secrets Manager adds Datadog and Snowflake support

🔐 AWS Secrets Manager now supports managed external secrets for Datadog vended keys and Snowflake Programmatic Access Tokens, enabling automatic rotation of third-party credentials directly within Secrets Manager. The update covers Datadog API keys, Application keys, and admin credential pairs for service accounts. For Snowflake, Secrets Manager can rotate Programmatic Access Tokens using Snowflake's native authentication and offers a configurable grace period to minimize disruption. These additions join existing integrations such as BigID, Confluent Cloud, MongoDB Atlas, and Salesforce and are available in all Regions where managed external secrets is supported.

Practical Guidance for Securing Google API Keys

🔐 This post explains why API keys are sensitive credentials for accessing Google AI and Cloud services and why careless handling leads to misuse or billing abuse. It outlines simple, actionable steps: create keys in dedicated projects, apply API and application restrictions, and store keys in Secret Manager or equivalent. The article also covers detection and response—how to list keys, monitor usage metrics, delete compromised keys, and rotate keys to reduce risk.

Mini Shai-Hulud Hits Hundreds of AntV npm Packages

🚨 The Mini Shai-Hulud worm resurfaced in a coordinated supply-chain wave that published 639 malicious versions across 323 npm packages tied to the AntV visualization ecosystem on 19 May, lasting roughly an hour. Analysis by Socket and updates from Microsoft show the payload added preinstall hooks executing an obfuscated Bun bundle to harvest cloud and CI secrets. Many affected packages are high-download dependencies and the compromised maintainer account held rights to over 500 packages. Responders should pin pre-19 May versions, rotate exposed credentials and audit GitHub for forged repository activity.

Contractor Exposed CISA and GovCloud Credentials Publicly

🔒 A public GitHub repository tied to a suspected CISA contractor exposed plain-text credentials—AWS tokens, GitHub access tokens, Kubernetes files, workflows and internal documents—discovered on May 14 by GitGuardian. The repo, active since November 13, 2025, contained roughly 844 MB of data and was taken offline within a day after disclosure. CISA is investigating and reports no current indication of sensitive compromise. Experts recommend centralized secret management, automated secret scanning, strict vendor controls and MFA to prevent similar exposures.

Developer Workstations as Local Supply Chain Boundaries

🔐 Recent supply chain campaigns that struck npm, PyPI, and Docker Hub within a 48-hour window illustrate a shift: attackers now target developer environments and CI/CD contexts to harvest API keys, tokens, SSH keys, and cloud credentials. The piece explains how local repositories, .env files, package configs, and AI assistants concentrate sensitive context and delivery authority on individual machines. It urges security teams to treat the developer workstation as a local supply chain boundary and to align endpoint, identity, AppSec, and platform controls to detect, limit, and rapidly rotate exposed secrets.

Secrets Manager Agent Adds Pre-Fetching and Role Assumption

🔒 The AWS Secrets Manager Agent now supports pre-fetching secrets at startup and assuming an IAM role for retrieval. With pre-fetching you can specify a list of secrets or a tag to retrieve and cache via BatchGetSecretValue, reducing application startup latency and API overhead. The agent can also assume a provided role ARN per pre-fetch or HTTP request to enable cross-account secret retrieval. These capabilities are available in all Regions where Secrets Manager is offered.

Safer Vibe Coding: Security Tips for Nontechnical Teams

🔒 AI-assisted "vibe" coding makes building apps fast but frequently yields insecure or nonfunctional code that can expose sensitive data. Non-technical creators should treat AI output as a draft: verify and test code, protect secrets by using environment variables, prefer reputable libraries, and enforce secure defaults. Regular backups, sandbox testing, dependency updates, and secret scanning help reduce exposure.

AWS KMS Adds Last-Usage Visibility for Keys Across Regions

🔒 AWS Key Management Service (KMS) now surfaces the timestamp, operation type, and AWS CloudTrail event ID for the last cryptographic operation performed with each KMS key, viewable in the console or via API. This eliminates manual log queries and helps administrators and compliance teams quickly identify unused keys, verify active usage, and trace key activity. A new condition key, kms:TrailingDaysWithoutKeyUsage, enables policy-based protection against accidental deletion of recently used keys, and the capability is available in all AWS Regions including GovCloud and China.

AWS Secrets Manager Adds MongoDB and Confluent Support

🔐 AWS Secrets Manager now supports managed external secrets for MongoDB Atlas and Confluent Cloud, enabling centralized secret storage and automatic rotation without building custom Lambda rotation functions. The MongoDB integration handles database user credentials (SCRAM) and service account OAuth client ID/secret; Confluent automates API key rotation for service accounts with cluster-scoped and cloud resource management keys. Automatic rotation is enabled by default to remove hardcoded credentials and reduce operational overhead.

AWS Glue Adds OAuth 2.0 Support for Snowflake Connectivity

🔒 AWS Glue now supports OAuth 2.0 for native Snowflake connectivity, allowing customers to read from and write to Snowflake without sharing persistent user credentials. This token-based authorization uses temporary access tokens to eliminate credential management, enabling granular permissions and improved auditability. The built-in AWS Glue Snowflake connector with OAuth is available in all AWS commercial regions, simplifying secure data integration.

Webinar: Eliminating Orphaned Non-Human Identities at Scale

🔐 This live webinar explains why unmanaged non-human identities—service accounts, API tokens, AI agent connections, and OAuth grants—are now a primary vector for cloud breaches. You will learn a repeatable discovery process to surface every automated credential, a framework to right-size permissions, and how to implement an automated lifecycle policy so dead credentials are revoked. Attendees receive an Identity Cleanup Checklist to apply immediately.

Improved Developer Security for Non-Human Identities and Tokens

🔐 Cloudflare announces updates to secure non-human identities—agents, scripts, and third-party tools—by enhancing credential detection, OAuth visibility, and resource-scoped RBAC. New scannable token formats (with identifiable prefixes and checksums) and integration with GitHub Secret Scanning enable rapid verification and automated revocation of leaked tokens. Cloudflare One DLP extends prevention across network, email, SaaS, and AI traffic. The Dashboard now surfaces connected OAuth apps and permissions to simplify review and revocation.

Governance Gaps as AI Agents Drive 76% NHI Increase

⚠ The SANS Institute warns that rapid adoption of agentic AI is outpacing security controls, driving a 76% rise in non-human identities (NHIs) such as service accounts, API keys and automation bots. Based on interviews with more than 500 security professionals for the 2026 State of Identity Threats & Defenses Survey, SANS identified widespread credential hygiene failings and a surge in agent-linked NHIs that can double or triple in number. The report highlights that many organizations do not rotate machine credentials on a 90-day cycle and lack coordinated AI governance, and recommends secrets vaults, automated rotation and scoped least-privilege access to mitigate risk.

Managing digital assets after death: risks and guidance

🔒 Digital assets left after death — from emails and social media to passwords and crypto wallets — can complicate an already traumatic time for families and create new fraud opportunities. The legal landscape is fragmented: RUFADAA in the US, a proposed UK bill and ELI efforts in Europe offer partial solutions, but platform policies remain inconsistent. Practical steps include creating a digital inventory, appointing legacy contacts (e.g., Facebook/Instagram Legacy Contact, Google Inactive Account Manager, Apple Digital Legacy) and using emergency access features in password managers. Also file tax returns, place deceased alerts on credit reports, cancel subscriptions, and be wary of scams targeting grieving relatives.

State of Secrets Sprawl 2026: AI-Driven Credential Risk

🔒 GitGuardian's State of Secrets Sprawl 2026 shows leaks accelerated in 2025, uncovering 29 million new hardcoded secrets — a 34% year-over-year increase and the largest single-year jump recorded. The report highlights three core trends: AI-driven credential exposures, unexpectedly widespread internal-repo and collaboration-tool leaks, and persistent remediation failures. It urges a shift from detection to continuous non-human identity governance, secrets vaulting, and automated rotation to reduce attacker access.

Betterleaks: Advanced Open-Source Successor to Gitleaks

🔐 Betterleaks is a new open-source secrets scanner developed by Zach Rice and supported by Aikido Security as the successor to Gitleaks. It inspects directories, files, and Git repositories using rule-defined validation with CEL and a token-efficiency approach based on BPE tokenization. Implemented in pure Go to avoid CGO/Hyperscan dependencies, Betterleaks adds automatic decoding of doubly/triply encoded secrets, expanded provider rules, and parallelized Git scanning for faster analysis. The project is MIT-licensed and maintained by a small, cross-industry team.

Infostealer Targets OpenClaw, Exfiltrating AI Agent Data

🔐 Security researchers have documented an infostealer attack that exposed sensitive files from local AI assistants, specifically OpenClaw. Hudson Rock reported the malware harvested configuration and key material—including openclaw.json, device.json, and agent memory files—allowing token theft, private key access, and capture of users' operational context. The incident underscores risks from plaintext secrets and permissive defaults in agentic tools.

Study Finds Multiple Cloud Password Managers Vulnerable

🔒 A new study from ETH Zurich and Università della Svizzera italiana shows that cloud-based password managers, including Bitwarden, Dashlane, and LastPass, can be vulnerable to password recovery and integrity attacks under a malicious-server model. Researchers identified 25 distinct attack variants ranging from metadata leakage and item swapping to full organizational vault compromise. Vendors have issued patches or mitigation roadmaps and say there is no evidence of in-the-wild exploitation.

Researchers Find Multiple Flaws in Cloud Password Managers

🔐 A team of researchers from ETH Zurich and USI disclosed 27 successful attack scenarios against cloud-based password managers from Bitwarden, LastPass, Dashlane and 1Password, challenging vendors' zero-knowledge claims. The attacks exploit design and cryptographic flaws — including unauthenticated public keys, missing ciphertext integrity and KDF downgrades — enabling vault compromise, password recovery and mass takeover. Vendors report remediation is underway; users should verify fixes and follow advisories.

npm's Token Overhaul Reduces but Doesn't Eliminate Risk

🔒 In December 2025 npm completed a major credential overhaul, revoking long-lived classic tokens and moving to short-lived session tokens and OIDC Trusted Publishing to reduce supply-chain risk. While MFA by default and ephemeral per-run CI credentials limit exposure, optional 90-day tokens that bypass MFA and successful MFA phishing still permit rapid malicious publishes. Developers should favor OIDC, avoid long-lived bypassable tokens, and enforce MFA-on-publish where possible to further harden the ecosystem.